The EU-US Data Privacy Framework (DPF) is the adequacy mechanism that lets UK and EU research institutions send personal data to self-certified US collaborators without signing Standard Contractual Clauses, provided the US recipient holds active DPF status covering the right data category. Where a collaboration involves health, genetic or other sensitive research data, extra labelling duties apply before the transfer can rely on the Framework at all.
The EU-US Data Privacy Framework is a voluntary self-certification scheme, administered by the US Department of Commerce and underpinned by the European Commission’s 10 July 2023 adequacy decision, that recognises participating US organisations as offering GDPR-equivalent protection for personal data received from the EEA. A parallel UK adequacy instrument extends the same recognition to transfers made under UK GDPR. For research offices coordinating cross-border studies, biobanks, consortium agreements or collaborative datasets with US partners post-Brexit, choosing correctly between the DPF, the UK Extension and Standard Contractual Clauses (SCCs) determines whether a transfer is lawful on day one or exposed to later challenge.
- What is the EU-US Data Privacy Framework?
- How does the UK Extension (Data Bridge) work post-Brexit?
- EU-US Data Privacy Framework vs Standard Contractual Clauses for research data
- Data sharing agreement vs data processing agreement: which applies?
- What special rules apply to sensitive research data?
- Frequently asked questions
- Implications for research institutions
What is the EU-US Data Privacy Framework?
The EU-US Data Privacy Framework replaced the invalidated EU-US Privacy Shield after the Court of Justice of the European Union’s 2020 Schrems II ruling found US surveillance law did not offer equivalent protection. The European Commission’s adequacy decision of 10 July 2023 concluded that the DPF ensures an adequate level of protection for personal data transferred to certified US organisations, removing the need for Standard Contractual Clauses on covered transfers.
Eligibility is narrower than it first appears. Only US organisations regulated by the Federal Trade Commission or the Department of Transportation may self-certify, which excludes many non-profits, banks, insurers and telecoms — categories that include some university-affiliated research foundations and repositories. Institutions must verify a partner’s active status on the official DPF list before relying on it, and confirm the certification covers the specific data category (HR or non-HR) being shared.
How does the UK Extension (Data Bridge) work post-Brexit?
Since Brexit, UK organisations cannot rely on the EU adequacy decision directly. The Data Protection (Adequacy) (United States of America) Regulations 2023 created a separate UK Extension — commonly called the UK-US Data Bridge — which came into force on 12 October 2023 and lets UK organisations, including universities and Gibraltar-based bodies, make restricted transfers to US businesses that have separately self-certified to the UK Extension.
Per the Information Commissioner’s Office, a UK institution relying on the Data Bridge must confirm the US recipient has active status on the DPF list, has specifically opted into the UK Extension (not only the EU-US DPF), and that its registration covers the correct data type. Periodic re-checks are required, since a US partner can lose or withdraw certification at any point during a live research project.
EU-US Data Privacy Framework vs Standard Contractual Clauses for research data
Where a US collaborator is not DPF-certified — common among smaller labs, non-profits and public bodies outside FTC/DoT jurisdiction — Standard Contractual Clauses remain the fallback transfer mechanism. UK exporters use the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU’s SCCs, and, following Schrems II, must complete a Transfer Risk Assessment (TRA) examining whether US law could undermine the contractual protections.
| Feature | DPF / UK Extension (Adequacy) | Standard Contractual Clauses (SCCs) |
|---|---|---|
| Legal basis | Adequacy decision (EU) / adequacy regulations (UK) | Contractual safeguard under UK GDPR Art. 46 / EU GDPR Art. 46 |
| Recipient eligibility | Limited to self-certified, FTC/DoT-regulated US organisations | Any US recipient, regardless of sector |
| Transfer Risk Assessment required | No | Yes, mandatory since Schrems II |
| Sensitive/special category data | Must be explicitly flagged as “sensitive” to the recipient | Protections negotiated within the contract and TRA |
| Ongoing obligation | Periodic verification of active DPF/UK Extension status | Periodic review of the TRA and supplementary measures |
Many research offices now adopt a “belt and braces” approach: relying on the Data Bridge where a partner is certified, while keeping SCCs signed as a fallback in case certification lapses mid-project — a real risk, since a US partner can be forcibly removed from the DPF list by the Department of Commerce.
Data sharing agreement vs data processing agreement: which applies?
A data sharing agreement (DSA) and a data processing agreement (DPA) serve different roles in a research collaboration, and confusing them is a common compliance gap. A DSA is used when two institutions each act as independent or joint controllers — for example, two universities pooling anonymised survey results for a shared analysis. A DPA (required under UK GDPR Article 28) is used when one party processes data solely on the instructions of another, such as a US cloud vendor hosting a UK institution’s research dataset.
- Use a DSA when both parties determine the purposes of processing (joint or independent controllers).
- Use a DPA when one party is a processor acting only on the controller’s documented instructions.
- Either document sits alongside, not instead of, the transfer mechanism (DPF, UK Extension or SCCs) — the agreement governs the relationship; the mechanism governs the lawfulness of the cross-border movement itself.
What special rules apply to sensitive research data?
Research data frequently includes health records, genetic material or biobank samples — categories UK GDPR classifies broadly as special category data. The DPF’s definition of “sensitive data” is narrower: only genetic data, biometric data used for unique identification, information about sexual orientation, and criminal offence data are covered, and only if the UK or EU sender proactively identifies and marks them as sensitive before transfer.
This is a frequently overlooked gap for research consortia: personal data revealing ethnicity, religion, trade union membership or health status more broadly is special category data under UK GDPR but is not automatically treated as sensitive under the DPF unless explicitly flagged. Institutions transferring such data should apply a persistent classification (metadata tags or labelling) that survives onward sharing by the US recipient, and document this step in the study’s data management plan.
Frequently asked questions
What is the EU-U.S. Data Privacy Framework?
The EU-U.S. Data Privacy Framework is a self-certification scheme allowing US organisations to receive personal data from the EEA under an EU adequacy decision. It replaced the invalidated Privacy Shield and removes the need for Standard Contractual Clauses for covered, certified transfers.
What happened to the EU-US Privacy Shield?
The Privacy Shield was invalidated in July 2020 by the Court of Justice of the EU in Schrems II, which found US surveillance access to personal data was not sufficiently limited. The Data Privacy Framework was negotiated as its successor and adopted in 2023.
What is the status of the EU-U.S. Data Privacy Framework?
As of mid-2026 the DPF remains in force, with the EU adequacy decision, the UK Extension and the Swiss-US DPF all active, though the mechanism continues to face legal challenges in the European courts, as its predecessors did.
Implications for research institutions
For research administrators managing international collaborations, the practical task is procedural discipline: verify DPF or UK Extension status before every transfer, not just at project setup; classify sensitive data explicitly; and keep SCCs and a completed Transfer Risk Assessment on file as a contingency. Given the DPF’s contested legal history, institutions that treat adequacy as a convenience rather than a permanent guarantee will be best placed to keep collaborations lawful if the Framework is narrowed or challenged again.
These obligations sit within the broader compliance landscape that research administration teams increasingly own alongside funders, ethics committees and legal counsel — making data transfer literacy as core to running an international study as the science itself.